
Re: [suse-security] SuSEFirewall doesn't work?



Hi,

thanks everybody for your comments. I checked the version of my SuSEFirewall2 
and it is not outdated. But thank you for that suggestion.

What I didn't know - oh bloody beginner! - is that the firewall "remembers" 
outgoing requests and opens for the answers. OK, could have guessed that, 
though.

Just one more question: Is there any command or tool that can display which 
services or programs are running on a certain port on my computer? If you 
take a look at the following entry of my log file you will see that someone 
from source port 80 is connecting to (or trying to?) my local port 1077. So I 
am curious. Which software is running there, or at any other (high) port of 
interest? Is there any way to find out? (OK, I know that there's a list of 
ports and protocols for low ports in /etc/protocols; but what about higher 
ports?)

SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 
SRC=64.151.x.x DST=192.168.0.2
 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=2083 PROTO=TCP SPT=80 DPT=1077 
WINDOW=7504 RES=0x00 ACK URGP=0 OPT (0101080A91D5DF560015679A)


Thanks again!
markus.


On Monday 10 May 2004 22:01, Markus A. Radner wrote:
> Hi there!
>
> I have this weird problem with my SuSEFirewall2 on SuSE 9.0.
> I haven't opened any ports intentionally, but my log file says, that a lot
> of access attempts on highports get THROUGH the firewall.
>
> I have hundreds of entries like this in my /var/log/messages file:
>
> SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00
> SRC=213.165.x.x DST=192.168.0.2
> LEN=73 TOS=0x00 PREC=0x00 TTL=57 ID=16216 DF PROTO=TCP SPT=110 DPT=1435
> WINDOW=5792 RES=0x00 ACK PSH URGP=0 OPT (0101080A0A4992810070F15B)
>
> My computer is behind a router/firewall. Someone tries to connect at port
> 1435 (and a lot of different other highports as well!). I disabled access
> to highports and I only allowed DNS and DHCLIENT as valid services. At
> least this was what I was thinking! Here's all the settings of my
> SuSEFirewall2 file. If anybody could explain what's going on I'd really be
> grateful.
>
> FW_QUICKMODE="no"
> FW_DEV_EXT="eth0"
> FW_DEV_INT=""
> FW_DEV_DMZ=""
> FW_ROUTE="no"
> FW_MASQUERADE="no"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS=""
> FW_PROTECT_FROM_INTERNAL="yes"
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP=""
> FW_SERVICES_EXT_UDP=""
> FW_SERVICES_EXT_IP=""
> FW_SERVICES_DMZ_TCP=""
> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_INT_TCP=""
> FW_SERVICES_INT_UDP=""
> FW_SERVICES_INT_IP=""
> FW_SERVICES_QUICK_TCP=""
> FW_SERVICES_QUICK_IP=""
> FW_TRUSTED_NETS=""
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
> FW_SERVICE_AUTODETECT="yes"
> FW_SERVICE_DHCLIENT="yes"
> FW_SERVICE_DHCPD="no"
> FW_SERVICE_SQUID="no"
> FW_SERVICE_SAMBA="no"
> FW_FORWARD=""
> FW_FORWARD_MASQ=""
> FW_REDIRECT=""
> FW_LOG_DROP_CRIT="yes"
> FW_LOG_DROP_ALL="no"
> FW_LOG_ACCEPT_CRIT="yes"
> FW_LOG_ACCEPT_ALL="yes"
> FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix
> SuSE-FW"
> FW_KERNEL_SECURITY="yes"
> FW_STOP_KEEP_ROUTING_STATE="no"
> FW_ALLOW_PING_FW="no"
> FW_ALLOW_PING_DMZ="no"
> FW_ALLOW_PING_EXT="no"
> FW_ALLOW_FW_TRACEROUTE="no"
> FW_ALLOW_FW_SOURCEQUENCH="yes"
> FW_ALLOW_FW_BROADCAST="no"
> FW_IGNORE_FW_BROADCAST="yes"
> FW_ALLOW_CLASS_ROUTING="no"
> FW_REJECT="no"
> FW_HTB_TUNE_DEV=""
>
>
> yours,
> markus.

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
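
Added example, not part of the original message or of SuSEfirewall2: a small Python parser that reads SuSE-FW log entries like the two quoted in this thread and uses the logged TCP flags to separate packets belonging to an existing connection (ACK set, as in both quoted entries) from new inbound connection attempts (SYN without ACK). The sample lines, their addresses, the third entry and the names `classify` and `summarize` are constructed for illustration.

```python
import re

# Constructed sample entries modelled on the log lines quoted in the thread.
# Addresses are documentation-range placeholders; the third line is invented
# to show what a genuine inbound connection attempt looks like.
SAMPLE_LOG = """\
May 10 21:40:01 host kernel: SuSE-FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.2 LEN=52 TTL=46 PROTO=TCP SPT=80 DPT=1077 WINDOW=7504 RES=0x00 ACK URGP=0
May 10 21:40:02 host kernel: SuSE-FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.0.2 LEN=73 TTL=57 DF PROTO=TCP SPT=110 DPT=1435 WINDOW=5792 RES=0x00 ACK PSH URGP=0
May 10 21:40:03 host kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.2 LEN=60 TTL=50 PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def classify(line):
    """Return (action, src_port, dst_port, verdict) for one log line, or None."""
    action = re.search(r"SuSE-FW-([A-Z-]+)", line)
    # KEY=value pairs; a value may be empty (e.g. "OUT=").
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    if not action or "SPT" not in fields or "DPT" not in fields:
        return None  # not a firewall entry, or a protocol without ports
    # netfilter logs the TCP flags as bare words between RES= and URGP=.
    flags = TCP_FLAGS.intersection(line.split())
    if fields.get("PROTO") != "TCP":
        verdict = "non-tcp"
    elif "SYN" in flags and "ACK" not in flags:
        verdict = "new-inbound"   # someone is trying to open a connection to us
    elif "ACK" in flags:
        verdict = "reply"         # packet of a connection that already exists
    else:
        verdict = "other"
    return action.group(1), int(fields["SPT"]), int(fields["DPT"]), verdict


def summarize(log_text):
    """Classify every parsable line of a log excerpt."""
    return [row for row in map(classify, log_text.splitlines()) if row]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Entries classified as "reply" with a source port such as 80 or 110 are consistent with answers to connections the local machine opened itself, which the firewall accepts because it tracks outgoing requests.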